kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-11-04 04:08:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

Added checkcsp to health-csp

Browse Source
This commit is contained in:
Kevin Veen-Birkenbach
2025-05-13 15:43:17 +02:00
parent 894e31bc3f
commit 3cb4cbf0d2
6 changed files with 22 additions and 46 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
roles/health-csp/README.md
View File

@@ -2,7 +2,7 @@
## Description ## Description
This Ansible role automates the validation of [Content Security Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP) enforcement for all configured domains by crawling them using a Puppeteer-based Node.js script. This Ansible role automates the validation of [Content Security Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP) enforcement for all configured domains by crawling them using a [CSP Checker](https://github.com/kevinveenbirkenbach/csp-checker).
## Overview ## Overview
@@ -15,24 +15,6 @@ Designed for Archlinux systems, this role periodically checks whether web resour
- **Automated Execution:** Registers a systemd service and timer for recurring health checks. - **Automated Execution:** Registers a systemd service and timer for recurring health checks.
- **Error Notification:** Integrates with `systemd-notifier` for alerting on failure. - **Error Notification:** Integrates with `systemd-notifier` for alerting on failure.
## Dependencies
This role depends on the following:
- [`nodejs`](../nodejs/)
- [`npm`](../npm/)
- [`systemd-notifier`](../systemd-notifier/)
- [`systemd-timer`](../systemd-timer/)
## Configuration
Set the following variables to customize behavior:
```yaml
health_csp_crawler_folder: "{{ path_administrator_scripts }}health-csp/"
on_calendar_health_csp_crawler: "daily"
```
## License ## License
CyMaIS NonCommercial License (CNCL) CyMaIS NonCommercial License (CNCL)

2
roles/health-csp/meta/main.yml
View File

@@ -25,5 +25,3 @@ galaxy_info:
documentation: "https://s.veen.world/cymais" documentation: "https://s.veen.world/cymais"
dependencies: dependencies:
- systemd-notifier - systemd-notifier
- nodejs
- npm

36
roles/health-csp/tasks/main.yml
View File

@@ -1,46 +1,44 @@
- name: "pkgmgr install"
include_role:
name: pkgmgr-install
vars:
package_name: checkcsp
when: run_once_backup_docker_to_local is not defined
- name: "create {{ health_csp_crawler_folder }}" - name: "create {{ health_csp_crawler_folder }}"
file: file:
path: "{{ health_csp_crawler_folder }}" path: "{{ health_csp_crawler_folder }}"
state: directory state: directory
mode: 0755 mode: 0755
when: run_once_backup_docker_to_local is not defined
- name: "Install puppeteer if node_modules not yet present"
ansible.builtin.command:
cmd: npm install puppeteer
chdir: "{{ health_csp_crawler_folder }}"
creates: "{{ health_csp_crawler_folder }}/node_modules"
- name: Check if puppeteer is usable
command: node -e "require('puppeteer')"
args:
chdir: "{{ health_csp_crawler_folder }}"
register: puppeteer_check
failed_when: puppeteer_check.rc != 0
- name: copy health-csp.py - name: copy health-csp.py
copy: copy:
src: health-csp.py src: health-csp.py
dest: "{{ health_csp_crawler_script }}" dest: "{{ health_csp_crawler_script }}"
mode: 0755 mode: 0755
when: run_once_backup_docker_to_local is not defined
- name: copy health-csp.js
copy:
src: health-csp.js
dest: "{{ health_csp_crawler_node }}"
mode: 0755
- name: create health-csp.cymais.service - name: create health-csp.cymais.service
template: template:
src: health-csp.service.j2 src: health-csp.service.j2
dest: /etc/systemd/system/health-csp.cymais.service dest: /etc/systemd/system/health-csp.cymais.service
notify: reload health-csp.cymais.service notify: reload health-csp.cymais.service
when: run_once_backup_docker_to_local is not defined
- name: set service_name to role_name - name: set service_name to role_name
set_fact: set_fact:
service_name: "{{ role_name }}" service_name: "{{ role_name }}"
when: run_once_backup_docker_to_local is not defined
- name: include systemd timer role - name: include systemd timer role
include_role: include_role:
name: systemd-timer name: systemd-timer
vars: vars:
on_calendar: "{{ on_calendar_health_csp_crawler }}" on_calendar: "{{ on_calendar_health_csp_crawler }}"
when: run_once_backup_docker_to_local is not defined
- name: run the backup_docker_to_local tasks once
set_fact:
run_once_backup_docker_to_local: true
when: run_once_backup_docker_to_local is not defined

3
roles/health-csp/templates/health-csp.service.j2
View File

@@ -5,5 +5,4 @@ OnFailure=systemd-notifier.cymais@%n.service
[Service] [Service]
Type=oneshot Type=oneshot
ExecStart=/usr/bin/python3 {{ health_csp_crawler_script }} \ ExecStart=/usr/bin/python3 {{ health_csp_crawler_script }} \
--nginx-config-dir={{ nginx.directories.http.servers }} \ --nginx-config-dir={{ nginx.directories.http.servers }}
--script={{ health_csp_crawler_node }}

1
roles/health-csp/vars/main.yml
View File

@@ -1,3 +1,2 @@
health_csp_crawler_folder: "{{ path_administrator_scripts }}health-csp/" health_csp_crawler_folder: "{{ path_administrator_scripts }}health-csp/"
health_csp_crawler_script: "{{ health_csp_crawler_folder }}health-csp.py" health_csp_crawler_script: "{{ health_csp_crawler_folder }}health-csp.py"
health_csp_crawler_node: "{{ health_csp_crawler_folder }}health-csp.js"

2
roles/nginx/meta/main.yml
View File

@@ -1,3 +1,3 @@
dependencies: dependencies:
- health-nginx - health-nginx
# - health-csp - health-csp